java 如何在不暴露密码的情况下连接到需要密码的数据库?
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/11093092/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
How to connect to a database that requires password without exposing the password?
提问by ceklock
I am creating an application and I need to connect to a database. The database requires login/password so the application can do operations like select and insert.
我正在创建一个应用程序,我需要连接到一个数据库。数据库需要登录名/密码,因此应用程序可以执行选择和插入等操作。
In the application I need to connect to the database using login and password, so the application is free to do some tasks on the database. My question is: how do I store and use a password to connect to the database without exposing the password?
在应用程序中,我需要使用登录名和密码连接到数据库,因此应用程序可以自由地对数据库执行一些任务。我的问题是:如何在不暴露密码的情况下存储和使用密码连接到数据库?
I can't simply use a hash or encryption to store the password because the database must recognize the password (I think most or all databases must receive password as plain text).
我不能简单地使用散列或加密来存储密码,因为数据库必须识别密码(我认为大多数或所有数据库都必须以纯文本形式接收密码)。
.
.
.
.
Note: The connection is made by the application. No human input to do the connection.
注意:连接是由应用程序建立的。无需人工输入即可进行连接。
(Edit)More info about the application: it is a web application using servlets/jsp. The database is on the same server of the application. The user for the application is a default user without complete admin powers, but it may insert/delete rows and do most things that involve queries and data modification in tables.
(编辑)有关该应用程序的更多信息:它是一个使用 servlets/jsp 的 Web 应用程序。数据库位于应用程序的同一台服务器上。应用程序的用户是默认用户,没有完整的管理权限,但它可以插入/删除行并执行大多数涉及查询和表中数据修改的操作。
采纳答案by Bohemian
The usual way this is done is to externalize the username/password to a property/config filewhich is read at runtime (whether or not you use native JDBC/JNDI/CDI/J2EE datasource/etc).
通常的做法是将用户名/密码外部化为在运行时读取的属性/配置文件(无论您是否使用本机 JDBC/JNDI/CDI/J2EE 数据源/等)。
The file is protected via the O/S security by the sysadmins.
该文件由系统管理员通过 O/S 安全保护。
The O/S has better tools for protection than app code.
操作系统具有比应用程序代码更好的保护工具。
回答by Horse Voice
You should use a config file for this. use spring with JDBC to make your life easier!
您应该为此使用配置文件。将 spring 与 JDBC 结合使用,让您的生活更轻松!
http://www.youtube.com/watch?v=f-k823MZ02Q
http://www.youtube.com/watch?v=f-k823MZ02Q
Checkout the above awesome tutorial on the Spring framework and using JDBC. Watch all of his JDBC and spring tutorials. BTW, he covers how to store passwords in config files and wire beans etc.. Hope this helps.
查看上面关于 Spring 框架和使用 JDBC 的精彩教程。观看他的所有 JDBC 和 spring 教程。顺便说一句,他介绍了如何在配置文件和电线 bean 等中存储密码。希望这会有所帮助。
回答by JR Galia
You can use jasyptfor the encryption.And store the username and password to datasource.properties file.
您可以使用jasypt进行加密。并将用户名和密码存储到 datasource.properties 文件中。
public Connection getConnection() throws IOException{
try{
BasicTextEncryptor encryptor = new BasicTextEncryptor();
encryptor.setPassword("jasypt");
Properties props = new EncryptableProperties(encryptor);
props.load( this.getClass().getResourceAsStream("datasource.properties") );
String driver = props.getProperty("datasource.driver");
String url = props.getProperty("datasource.url");
String userName = props.getProperty("datasource.userName");
String password = props.getProperty("datasource.password");
Class.forName(driver);
Connection conn = DriverManager.getConnection(url, userName, password);
conn.setAutoCommit(false);
return conn;
} catch(ClassNotFoundException e) {
e.printStackTrace();
return null;
} catch(SQLException e) {
e.printStackTrace();
return null;
}
}
回答by duffymo
If it's a web app, deploy it on a Java EE app server and connect using a JNDI resource. Only the admin who set up the JNDI data resource needs to know about the credentials needed to connect. Users and developers don't even have to know them; just the JNDI lookup name.
如果是 Web 应用程序,请将其部署在 Java EE 应用程序服务器上并使用 JNDI 资源进行连接。只有设置 JNDI 数据资源的管理员需要知道连接所需的凭据。用户和开发人员甚至不必认识他们;只是 JNDI 查找名称。
It's not possible to completely eliminate the need for someone besides the database owner to know the username and password, but it is possible to restrict that knowledge to the app server owner.
不可能完全消除数据库所有者以外的其他人知道用户名和密码的需要,但可以将这种知识限制在应用服务器所有者身上。
You are also well advised to create separate credentials just for that application and GRANT it the minimum access and permissions needed to accomplish its tasks. There should be no knowledge of system tables or any other resources outside the province of the application. IF DELETE permission isn't necessary, don't grant it. If access should only be read only, that's what you should GRANT to that credential.
还建议您仅为该应用程序创建单独的凭据,并为其授予完成其任务所需的最低访问权限和权限。不应该了解系统表或应用程序范围之外的任何其他资源。如果不需要 DELETE 权限,则不要授予它。如果访问权限只能是只读的,那么您应该授予该凭据。
